Consumer Reports is an independent nonprofit organization that works for a fair, safe and transparent marketplace.

Since we were founded as Consumers Union in 1936, we have advocated for the rights of all consumers. Now, we are united under the Consumer Reports name, bringing together our trusted testing, research, journalism, and advocacy.

We hope you will partner with us and our six million members for a better world.

Press Release

CR investigation reveals government among biggest sources of ID leaks

September issue shows penalties rarely imposed on those who are negligent

YONKERS, NY — Americans trust government officials to safeguard sensitive personal and financial data but government is among the biggest sources of ID leaks, according to a Consumer Reports investigation. The report “ID Leaks, A Surprising Source is Your Government at Work,” in the September issue points out that penalties are also rarely imposed on those who are negligent.

CR analyzed records of publicly reported data breaches compiled by the nonprofit Privacy Rights Clearinghouse and found that more than 230 security lapses by federal, state, and local government from 2005 through mid-June 2008 resulted in the loss or exposure of at least 44 million consumer records containing Social Security or driver’s license numbers and other personal data.

That represents almost one out of five ID breeches of all types reported during that period. But even those statistics probably don’t accurately portray the problem. CR reports that a 2006 investigation by the House Oversight and Government Reform Committee found that 788 breaches had occurred in the three and a half years between January 2003 and July 2006 at 17 federal departments and agencies. Few of these incidents were publicly disclosed.

A 2007 report from the Treasury Inspector General for Tax Administration revealed 24 incidents in which IRS laptops containing sensitive data for 480 taxpayers were lost or stolen because IRS
employees put them in checked baggage at an airport, left them in unlocked cars, or lost them on trains or buses. Only one of the employees was disciplined.

What’s more, according to the House Oversight Committee’s annual security report card, the government as a whole got a C for 2007, up from a D+ two years earlier. And several federal departments including the Departments of the Treasury, Veterans Affairs, Agriculture, Interior, and the Nuclear Regulatory Commission got failing grades.

“Only a small portion of data breaches get publicized, and with government data breaches, even fewer get identified because the government, unlike business, doesn’t have a financial incentive to do so,” said Robert Tiernan, managing editor, Consumer Reports. “It’s very important that the government view citizens as their customers and place more value on sensitive information.”
The full report is available in the September issue of Consumer Reports on sale August 5 on newsstands and online atwww.ConsumerReports.org.

The problem is not limited to lost laptops. Social Security numbers are visible on 40 million Medicare cards, as well as military identification cards and public court records throughout the country.
The number of data breaches that result in ID theft is unknown because most victims don’t know how their personal information was obtained. And it might be a year or two before the stolen ID is used.

One Man’s Nightmare
CR recounted how Joe Protain, a 36-year-old surgeon from Warren, Ohio, received a far greater penalty that the $150 fine he paid for speeding. He discovered last year that traffic-court records publicly posted on the Franklin County Municipal Court Web site, including his address and Social Security number, enabled a ring of identity thieves to rack up more than $11,000 worth of charges in his name. He is still trying to recover from the fallout.

One of the suspects confessed the ring used the Franklin County Municipal Court Web site to enter random Social Security numbers, changing one digit at a time until hitting a match with a number belonging to one of the thousands of people whose court records had been posted online since 2001. The records revealed the victim’s name, address, age, and in some cases, driver’s license numbers. That allowed members of the theft ring to obtain a copy of the victim’s credit report and take over existing accounts or open new ones, with bills and purchases sent to a new address.

Data breaches, like Protain’s, in which identity thieves deliberately seek personal information for fraudulent purchases, pose the highest risk of identity theft. But congressional investigators found that unauthorized use of data by government employees and stolen laptops and computer storage devices were the most common sources of federal data losses.

Even the Federal Trade Commission, the agency that imposed fines on businesses for egregious data breaches, disclosed in June 2006 a computer-theft incident: Two of its laptops containing sensitive information for 110 people, including financial-account numbers and Social Security numbers, were stolen when two of the agency’s attorneys left them in a locked car.

How to protect yourself

When a brokerage-firm or retailer has a data leak, consumers can take their business elsewhere,
as almost one-third of breach victims do. But as customers of the government, consumers don’t have a choice about giving personal data to federal, state, and local officials. Consider taking these measures to guard against identity theft:

• Monitor bank and credit-card accounts regularly to spot any questionable charges and
report them immediately.
• Order a copy of your credit report from a different credit-reporting agency every four
months. Consumers are entitled to a free copy from each of the three federal agencies. Go
to www.annualcreditreport.com.
• Consider putting a freeze on your credit files unless you are currently seeking a loan or a
credit card. A credit freeze effectively prevents identity thieves from opening new
accounts in your name. For a list of instructions by state and other information, visitwww.FinancialPrivacyNow.org, a site from Consumers Union.
• If you are involved in a case, contact the court clerk to find out how you can redact
personal information before it is put online.
• Don’t carry your Social Security card in your wallet and shred documents with personally
identifying information, such as driver’s license and financial account numbers, before
discarding them.